Legal risks for phishing researchers

Researchers are increasingly turning to live, "in the wild" phishing studies of users, who unknowingly participate without giving informed consent. Such studies can expose researchers to a number of unique and fairly significant legal risks. This paper presents four case studies highlighting the steps that researchers have taken to avoid legal problems, and the legal risks that they were unable to avoid. It then provides a high-level introduction to a few particularly dangerous areas of American law. Finally, it concludes with a series of best practices that may help researchers avoid legal trouble; however, this information should not be taken as legal advice.